Appengine Flex 服务帐户权限不足,无法访问 Drive 文件夹

Insufficient Permission with Appengine Flex service account to access Drive folder

我编写了一个应用程序,它使用了官方记录的所有 clients/sdks。

credentials = GoogleCredentials \
    .get_application_default() \
    .create_scoped('https://www.googleapis.com/auth/drive')
drive = discovery.build(
    'drive',
    'v3',
    http=self.credentials.authorize(Http())
)
drive.files() \
    .get(fileId=file_id) \
    .execute()

它在本地使用从面板生成的服务帐户完美运行,但是当我部署应用程序时,AppEngine 柔性环境中的服务帐户遇到问题。

17:15:04.000 /env/lib/python3.4/site-packages/oauth2client/contrib/gce.py:99: UserWarning: You have requested explicit scopes to be used with a GCE service account. 17:15:04.000 Using this argument will have no effect on the actual scopes for tokens 17:15:04.000 requested. These scopes are set at VM instance creation time and 17:15:04.000 can't be overridden in the request. 17:15:04.000 17:15:04.000 warnings.warn(_SCOPES_WARNING) 17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/drive/v3/rest 17:15:04.000 INFO:oauth2client.client:Attempting refresh to obtain initial access_token 17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json 17:15:04.000 ERROR:root:Failed to retrieve file 0B0K....M1pBNFE. Is it shared with me? project-id@appspot.gserviceaccount.com 17:15:04.000 Traceback (most recent call last): 17:15:04.000 File "/home/vmagent/app/script.py", line 45, in get 17:15:04.000 .execute() 17:15:04.000 File "/env/lib/python3.4/site-packages/oauth2client/util.py", line 135, in positional_wrapper 17:15:04.000 return wrapped(*args, **kwargs) 17:15:04.000 File "/env/lib/python3.4/site-packages/googleapiclient/http.py", line 760, in execute 17:15:04.000 raise HttpError(resp, content, uri=self.uri) 17:15:04.000 googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json returned "Insufficient Permission">

我检查了权限,它们都已设置。问题可能是由于 "Using this argument will have no effect..." 消息引起的,该消息在尝试创建作用域凭据时出现。

正如您在之前的评论中提到的,这是一个 known issue. As described by araf...@google.com,灵活环境中的 App Engine 实例似乎将 Uderlying GCE VM 的凭据假定为应用程序默认凭据。

As a workaround in the meantime, you can use a manually created service account exported as a JSON key stored in your app, as per Using OAuth 2.0 for Server to Server Applications.

对于受此问题影响或解决方法无效的任何人,请post said issue 上的任何相关信息。